18.10.90.2 (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'

Information

This policy setting enables or disables networking in the Windows Sandbox. Networking is achieved by creating a virtual switch on the host, and connecting the Windows Sandbox to it via a virtual Network Interface Card (NIC).

The recommended state for this setting is: Disabled.

Note: The Windows Sandbox feature was first introduced in Windows 10 R1903, and allows a temporary 'clean install' virtual instance of Windows to be run inside the host, for the ostensible purpose of testing applications without making changes to the host.

Disabling network access decreases the attack surface exposed by the Windows Sandbox and exposure of untrusted applications to the internal network.

Note: Per Microsoft, enabling networking in the Windows Sandbox can expose untrusted applications to the internal network.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Sandbox\Allow networking in Windows Sandbox

Note: This Group Policy path is provided by the Group Policy template WindowsSandbox.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer).
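An added PowerShell audit helper for this control (example code, not from Tenable, CIS or Microsoft). It assumes that the GP setting is backed by the registry value HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox\AllowNetworking (REG_DWORD, 0 = Disabled, 1 = Enabled), which this page does not state; an absent value is reported as Not Configured and fails the check, because Windows Sandbox allows networking by default when the policy is not set.

```powershell
# Assumed registry backing for the GP setting (not stated on this page).
$SandboxPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox'
$SandboxPolicyValue = 'AllowNetworking'

function Test-SandboxNetworkingPolicy {
    # Returns an object describing the policy state; only an explicit 0 passes.
    $key  = $SandboxPolicyKey
    $name = $SandboxPolicyValue
    $raw  = $null

    if (Test-Path -Path $key) {
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = [int]$item.$name }
    }

    if ($null -eq $raw) { $state = 'NotConfigured' }   # default: networking allowed
    elseif ($raw -eq 0) { $state = 'Disabled' }
    elseif ($raw -eq 1) { $state = 'Enabled' }
    else                { $state = "Unexpected($raw)" }

    [pscustomobject]@{
        Control   = '18.10.90.2'
        Setting   = 'Allow networking in Windows Sandbox'
        Registry  = "$key\$name"
        RawValue  = $raw
        State     = $state
        Compliant = ($state -eq 'Disabled')
    }
}

function Set-SandboxNetworkingDisabled {
    # Local remediation equivalent to setting the GP UI path to Disabled.
    # Requires an elevated session; on domain-joined hosts prefer the GPO.
    if (-not (Test-Path -Path $SandboxPolicyKey)) {
        New-Item -Path $SandboxPolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $SandboxPolicyKey -Name $SandboxPolicyValue `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

Test-SandboxNetworkingPolicy | Format-List
```

Run the audit function first; call Set-SandboxNetworkingDisabled only on a host where local policy, rather than a domain GPO, is the intended source of this setting.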

Impact:

Network access to/from the Windows Sandbox will be disabled. Therefore, files will not be able to be moved to/from the Windows Sandbox via the network.

See Also

https://workbench.cisecurity.org/benchmarks/17129

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: Windows

Control ID: 3cff2438e6fedb0a6edfaac48b3b683eee981f78ef531c67071155de531120c7